The complexity-theoretic no-cloning theorem [1] says there is no generic attack much better than random guessing. What do we mean by a generic attack? Suppose there is a verification machine that checks whether or not a given state |φ⟩ is equal to a good quantum money state |ψ⟩. The machine takes as input any quantum state |φ⟩; it outputs 0 if |φ⟩ = |ψ⟩ and 1 if |φ⟩ is orthogonal to |ψ⟩. In either case, it also outputs the quantum state that is left over after the measurement. Aaronson showed that, as long as that machine is a black box, it can fall into the hands of a counterfeiter without compromising the quantum money scheme. In other words, a counterfeiter with access to some quantum money as well as the verification machine would either need to take the machine apart to figure out how it worked or else use the machine an exponentially large number of times in order to make any more quantum money than he or she started with.

Figure 3. Quantum money from knots.

Figure 5. Reidemeister moves.

This theorem does not guarantee any particular scheme is secure. For every quantum money scheme that has been proposed, the states |ψ⟩ that are “good” quantum money states are not completely unknown since they come from a restricted set of states generated by the mint’s algorithm. If this set of states is small enough then having a “black box” verifier may allow a forger to copy a money state; we have already seen an example of this with Wiesner’s scheme. And it might also be possible to design attacks on public-key quantum money that do not use the verifier as a black box. So in order to evaluate any public-key quantum money scheme, we will have to look at the details of the verifier and the set of valid quantum money states that are minted by the bank.

Figure 4. A knot.
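
As an added illustration that is not part of the article, the following Python models the idealised verification machine described above as a projective measurement onto |ψ⟩ (an assumption; the article treats the verifier abstractly) and checks that a genuine state passes, an orthogonal state fails, and Haar-random guesses succeed at a rate near 1/2^n for n-qubit money states.

```python
import math
import random

# Added example, not from the article: the black-box verifier modelled as a
# projective measurement onto the good money state |psi>. It returns 0 and
# leaves |psi> behind with probability |<psi|phi>|^2; otherwise it returns 1
# and leaves the component of |phi> orthogonal to |psi>.

def inner(a, b):
    """<a|b> for state vectors given as lists of complex amplitudes."""
    return sum(x.conjugate() * y for x, y in zip(a, b))

def normalize(v):
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    return [x / norm for x in v]

def orthogonal_part(psi, phi):
    """Component of |phi> orthogonal to |psi>, normalised."""
    amp = inner(psi, phi)
    return normalize([y - amp * x for x, y in zip(psi, phi)])

def random_state(dim, rng):
    """Haar-random pure state: Gaussian complex amplitudes, normalised."""
    return normalize([complex(rng.gauss(0, 1), rng.gauss(0, 1))
                      for _ in range(dim)])

def verify(psi, phi, rng=None):
    """Black-box verifier: returns (outcome, leftover_state)."""
    rng = rng or random.Random()
    if rng.random() < abs(inner(psi, phi)) ** 2:
        return 0, list(psi)                  # accepted: collapses onto |psi>
    return 1, orthogonal_part(psi, phi)      # rejected: remainder is left over

def demo(n_qubits=3, trials=4000, seed=0):
    """A genuine coin passes, an orthogonal state fails, and Haar-random
    guesses pass at a rate close to 1/2^n (0.125 for three qubits)."""
    rng = random.Random(seed)
    dim = 2 ** n_qubits
    psi = random_state(dim, rng)
    valid_out, left = verify(psi, psi, rng)
    orth_out, _ = verify(psi, orthogonal_part(psi, random_state(dim, rng)), rng)
    guesses = sum(verify(psi, random_state(dim, rng), rng)[0] == 0
                  for _ in range(trials))
    return {"valid_outcome": valid_out,
            "valid_leftover_fidelity": abs(inner(left, psi)) ** 2,
            "orthogonal_outcome": orth_out,
            "guess_success_rate": guesses / trials}
```

Raising n_qubits shows the guessing rate halving with every added qubit, which is the exponential cost the theorem attaches to any attack that only queries the verifier.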

Quantum Coins

One of the first applications of the complexity-theoretic no-cloning theorem was given by Mosca and Stebila [18]. They showed it might be possible to have a public-key quantum money scheme in which every piece of quantum money is identical: they called these quantum coins [18, 19].

Quantum coins, like ordinary coins, are all the same with no marks distinguishing each coin. One advantage of quantum coins is they are anonymous—no one can tell one coin from another, so it is difficult to keep track of where and when a particular coin was spent.

Mosca and Stebila had two results about quantum coins. They extended the complexity-theoretic no-cloning theorem to quantum coins. If a would-be counterfeiter has access to a machine that verifies quantum coins but cannot look inside that machine, then there is no way to make more coins than he or she started with in any reasonable amount of time. This result gives some hope a public-key quantum coin protocol could be discovered.

Their second result is based on blind quantum computation (introduced by Childs [9] and studied by Broadbent et al. [6]). Blind quantum computation is a protocol whereby a quantum computer with very limited resources (sometimes called a quantum calculator) runs a polynomial size quantum circuit with the help of a server, where the server does not learn anything about the circuit performed (except an upper bound on its size). In the protocol introduced by Mosca and Stebila, the merchant runs an obfuscated verification algorithm from which he or she learns nothing except the final answer: that it is or is not a valid coin. However, this requires (quantum) communication with the bank, and so this quantum coin scheme is a private-key protocol.

To date there is no published concrete proposal for public-key quantum coins.